[lug] bash scripting question

Tkil tkil at scrye.com
Sun Nov 20 14:53:27 MST 2005


>>>>> "Dave" == David L Anselmi <anselmi at anselmi.us> writes:

Dave> Tkil wrote:
>>>>>>> "Hugh" == Hugh Brown <hugh at math.byu.edu> writes:
Hugh> for i in *;do command "$i"; done
>> Interesting that this is actually more robust than the "read"
>> version.

Dave> Except when * expands to a list that is too long for the command
Dave> line.  

Right, although I tend to reach for "find ... -print0 | xargs -0"
before I think of the shell "read".  Mostly habit, but it's more
secure (see next point), and it's more efficient: if the destination
process can accept more than one filename at once, you only have one
program invocation per MAX_ARGS compared to one per file.

Dave> That's currently a bigger problem for me than spaces or newlines
Dave> in file names

Understood, but there are cases where newlines in file names can actually
cause a security risk if not handled properly.  I don't know if
there's a canonical attack that uses this, but you could easily cause
mischief.  Leaving aside the fact that you'd need pretty good
privileges to execute this anyway... First, make a time bomb in /etc:

# cd /etc
# touch foo
# chown disgruntled foo
# perl -e 'rename "foo", ".hidden\npasswd"'

Now, a few days later, the disgruntled employee is fired and the admin
goes to clean up the system:

# cd /etc
# find . -user disgruntled -print | xargs rm

Boom!

(Ok, this is a silly example, and requires all sorts of presumptions,
but this is the style of attack that using "-print0" and "xargs -0"
avoids; since it doesn't cost me anything but a few extra keystrokes,
it's the habit I've gotten into.)

Dave> (though I bet I could drive some coworkers crazy putting a
Dave> newline in a file).

Better living through strategic irritation?  :)

Dave> <trivia>Do you know what characters aren't allowed in Unix file
Dave> names? There are only two.</trivia>

Heh.  From the message you're replying to:

  NUL and '/' are the only two characters that are forbidden at the
  filesystem level

Dave> ls always uses -1 when writing to something that isn't a tty.
Dave> You don't need to put it in explicitly.

Yeah, it's a habit of mine.  *shrug*  Should maybe fix it.

Happy hacking,
t.
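The time bomb from the message above, reproduced as an added shell example that is not part of the original thread. It builds the scenario in a scratch directory and swaps rm for a recorder, so nothing is deleted: the recorder reports how many arguments the consumer received and whether a decoy "passwd" file (standing in for /etc/passwd) was among them. Two assumptions differ from the post: the file is selected with a name pattern instead of "-user disgruntled", because an unprivileged run cannot chown to a second account, and the newline name is built with printf rather than perl. It assumes a POSIX sh, a find with -print0 and an xargs with -0 (GNU and BSD both have them), and mktemp(1).

```shell
#!/bin/sh
# Added example (not from the original message): show how a newline in a
# file name splits "find -print | xargs rm" into two targets, and how
# "-print0 | xargs -0" keeps it as one. rm is replaced by a recorder.
set -eu

# Scratch tree: a decoy "passwd" (stand-in for /etc/passwd) plus the time
# bomb ".hidden<newline>passwd". Command substitution strips only
# trailing newlines, so the embedded one survives into the file name.
make_scratch() {
    dir=$(mktemp -d)
    printf 'root:x:0:0\n' > "$dir/passwd"
    : > "$dir/$(printf '.hidden\npasswd')"
    printf '%s\n' "$dir"
}

# Run the admin's cleanup with rm replaced by a recorder.
#   $1 = scratch dir
#   $2 = "naive" (find -print | xargs) or "safe" (find -print0 | xargs -0)
# Prints "args=N decoy=yes|no": N is the number of arguments handed to
# the would-be rm, decoy says whether the bare word "passwd" was one of
# them (relative to the cwd, that is exactly what rm would unlink).
# Selection is by name pattern here; the post used -user disgruntled,
# which an unprivileged run cannot reproduce (assumption noted above).
cleanup_report() {
    recorder='n=0; decoy=no
for f; do n=$((n+1)); [ "$f" = passwd ] && decoy=yes; done
printf "args=%s decoy=%s\n" "$n" "$decoy"'
    ( cd "$1" &&
      if [ "$2" = naive ]; then
          find . -name '.hidden*' -print  | xargs    sh -c "$recorder" rm
      else
          find . -name '.hidden*' -print0 | xargs -0 sh -c "$recorder" rm
      fi )
}

# Stand-alone run: build the tree, print both reports, clean up.
scratch=$(make_scratch)
echo "naive: $(cleanup_report "$scratch" naive)"   # args=2 decoy=yes
echo "safe:  $(cleanup_report "$scratch" safe)"    # args=1 decoy=no
rm -rf "$scratch"
```

In the naive run xargs sees two lines, "./.hidden" and "passwd"; the first does not exist and rm would simply complain, while the second is the decoy sitting in the current directory, which in the post is /etc. With -print0 the NUL-terminated name arrives as a single argument, newline and all, and the decoy is never touched. Where xargs is not wanted at all, "find ... -exec rm {} +" gives the same one-invocation-per-batch behaviour without ever serialising the names.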